Author

Huiping Sun

Bio: Huiping Sun is an academic researcher from Peking University. The author has contributed to research in the topics of passwords and usability, and has co-authored 1 publication.

Papers
Book ChapterDOI
23 Nov 2020
TL;DR: In this article, a new direction for generating honeywords, generating them by transforming password hashes rather than from users' raw passwords, is proposed (HoneyHash), and analyses show that it attains the expected levels of flatness, security, performance and usability.
Abstract: Since systems using honeywords store a set of decoy passwords together with real passwords of users to confuse adversaries, they are strongly dependent on the algorithm for generating honeywords. However, all of the existing honeyword generating algorithms are based on raw passwords of users and they either need lots of storage space or show weaknesses in flatness or usability. This paper proposes HoneyHash, a new direction of generating honeywords - generating by transforming password hashes. Analyses show that our algorithm attains expected levels of flatness, security, performance and usability.

3 citations


Cited by
Proceedings ArticleDOI
01 Jun 2022
TL;DR: Lethe is a honeywords-based data-breach detection system that requires no trusted components other than a trusted bootstrap and keeps only limited transient state for verifying login attempts; it is the first system in which an attacker who fully compromises the honeyword generation technique (HGT) gains nothing against already generated honeywords.
Abstract: Honeywords are false passwords associated with each user account. Using a honeyword to login sets off an alarm as a data breach has been detected. Existing approaches for detecting data breaches using honeywords suffer from the need of a trusted component to tell honeywords from the valid password. Once this trusted component is compromised, then honeywords can offer no assistance for mitigating or detecting a data breach. In this paper, we present Lethe, a honeywords-based data-breach detection system that requires no trusted components, other than a trusted bootstrap, and keeps limited transient state for verifying login attempts. Lethe is based on two fundamental principles. First, Lethe generates honeywords using a Machine Learning (ML) model, which constantly evolves. This means that an attacker that compromises the Honeyword Generation Technique (HGT) cannot reproduce the same set of honeywords, and thus cannot tell which password was used as the initial generator. In particular, Lethe is the first system that allows an attacker to fully compromise the HGT without affecting the security of already generated honeywords. Second, Lethe is not aware of the valid password. In fact, for Lethe the only one that knows the actual password is the user that selected it in the first place. Lethe records login events, but without storing anywhere the password used. These login events can be further replayed in another server, which can check if, for a particular user, there were at least two different passwords used and therefore detect a data breach. Lethe allows the detection of a data breach deterministically and not probabilistically as similar approaches do. Additionally, Lethe allows detecting data breaches that are associated with rarely used accounts. Lethe can signal an alarm even if a user account that has logged in just once with the system is compromised. This is in contrast to other efforts that require legitimate users to authenticate with the system, after the attacker has done so, for detecting the breach. To demonstrate the effectiveness of Lethe, we provide a fully functional prototype, along with the ML-based HGT, and assess the provided security with a set of diverse attackers.

2 citations
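The two mechanisms the HoneyHash and Lethe abstracts above describe, as an added example that is not code from either paper or its authors: the classic honeyword layout with a trusted honeychecker (Juels and Rivest, 2013), which is the trusted component the Lethe abstract criticizes, and a simplified auditor that detects a breach from replayed login events without the login server knowing which sweetword is real. The user names, the hand-picked decoys (they are not flat, and HoneyHash's hash-derived generation is not reproduced here), the event tag format and the auditor key are assumptions of this toy, not the papers' designs.

```python
# Added illustration, not code from HoneyHash or Lethe: user names, decoys, the
# event format and the auditor key are assumptions made for this toy.
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

ITERATIONS = 20_000  # low for the demo; raise it (or use Argon2id) in production


def sweetword_hash(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS)


class PasswordFile:
    """What a breached server leaks: per user, a salt and k sweetword hashes with
    the real password's position unmarked, so a cracker must guess which is real."""

    def __init__(self):
        self.users = {}

    def register(self, user, password, honeywords):
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        salt = os.urandom(16)
        self.users[user] = (salt, [sweetword_hash(w, salt) for w in sweetwords])
        return sweetwords.index(password)  # only the honeychecker may keep this

    def match_index(self, user, submitted):
        salt, hashes = self.users[user]
        h = sweetword_hash(submitted, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return i
        return None  # not a sweetword at all: an ordinary failed login


class HoneyChecker:
    """Trusted component of the classic scheme (Juels and Rivest, 2013): it stores only
    user -> index of the real password. Compromised together with the password file,
    honeywords protect nothing, which is the weakness the Lethe abstract targets."""

    def __init__(self):
        self.real_index, self.alarms = {}, []

    def check(self, user, index):
        if index == self.real_index[user]:
            return True
        self.alarms.append(user)  # a decoy was used: the password file has leaked
        return False


def login_with_honeychecker(pf, hc, user, submitted):
    i = pf.match_index(user, submitted)
    if i is None:
        return "wrong"
    return "ok" if hc.check(user, i) else "honeyword"


# Variant without a trusted honeychecker (assumed design, not Lethe's construction):
# the login server cannot tell sweetwords apart, so it accepts any of them and only
# records a keyed tag of the submitted word. An auditor replays the events; a user
# seen with two distinct tags was logged into with two different sweetwords, which
# only happens once the file has leaked. Caveat: whoever holds the event key and the
# sweetword list can tell which sweetword each event used, so the key must not live
# on the login server.
def login_event(event_key, pf, user, submitted):
    if pf.match_index(user, submitted) is None:
        return None  # not a sweetword; nothing worth recording
    tag = hmac.new(event_key, f"{user}\0{submitted}".encode(), "sha256").hexdigest()
    return (user, tag)


def audit(events):
    """Replay recorded events; flag users seen with at least two distinct sweetwords."""
    seen = defaultdict(set)
    for event in events:
        if event is not None:
            seen[event[0]].add(event[1])
    return {u for u, tags in seen.items() if len(tags) >= 2}


def demo():
    """Constructed scenario: alice's real password is 'Tr0ub4dor&3'; an attacker who
    cracked the leaked file logs in with one of the decoys."""
    pf, hc = PasswordFile(), HoneyChecker()
    hc.real_index["alice"] = pf.register(
        "alice", "Tr0ub4dor&3", ["Tr0ub4dor&7", "Troub4dor&3", "tr0ub4dor&3"])
    results = {
        "user_login": login_with_honeychecker(pf, hc, "alice", "Tr0ub4dor&3"),
        "attacker_decoy": login_with_honeychecker(pf, hc, "alice", "Troub4dor&3"),
        "random_guess": login_with_honeychecker(pf, hc, "alice", "hunter2"),
        "alarms": list(hc.alarms),
    }
    key = os.urandom(32)  # held by the auditor, not the login server (assumption)
    events = [
        login_event(key, pf, "alice", "Tr0ub4dor&3"),  # alice, once, before the breach
        login_event(key, pf, "alice", "Tr0ub4dor&7"),  # attacker, with a cracked decoy
        login_event(key, pf, "alice", "hunter2"),      # not a sweetword: not recorded
    ]
    results["audit_flagged"] = audit(events)  # flagged after one genuine login
    return results
```

Calling demo() returns the outcome of each login and the set of flagged users: with a honeychecker the decoy login raises the alarm immediately, and without one the auditor flags alice after a single genuine login followed by the attacker's, which is the "rarely used account" case the Lethe abstract singles out. Note the residual trust in the second half: the auditor's key plus the sweetword list reveal which sweetword each event used, so this toy moves the trusted component rather than removing it, which is exactly the gap the Lethe abstract claims to close with its evolving, ML-based generator.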

Proceedings ArticleDOI
01 Jan 2022
TL;DR: This work proposes a new architecture for the password file that makes use of multiple servers and is able to defend even against attackers that manage to compromise all servers, as long as they do not do so at the same time.
Abstract: Over the last decade, we have seen a significant number of data breaches affecting hundreds of millions of users. Leaked password files / databases that contain passwords in plaintext allow attackers to get immediate access to the credentials of all the accounts stored in those files. Nowadays most systems keep passwords in a hashed salted form, but using brute force techniques attackers are still able to crack a large percentage of those passwords. In this work, we present a novel approach to protect users’ credentials from such leaks. We propose a new architecture for the password file that makes use of multiple servers. The approach is able to defend even against attackers that manage to compromise all servers - as long as they do not do it at the same time. Our prototype implementation and preliminary evaluation in the authentication system of WordPress suggests that this approach is not only easy to incorporate into existing systems, but it also has minimal overhead.